Network Security Topologies


Published on

  • Be the first to comment

  • Be the first to like this

Network Security Topologies

  1. 1. Network Security Topologies Chapter 11
  2. 2. Learning Objectives <ul><li>Identify place and role of the demilitarized zone </li></ul><ul><li>NAT and PAT </li></ul><ul><li>Tunneling in network security </li></ul><ul><li>Describe security features of VLANS </li></ul><ul><li>Network perimeter’s importance to an organization’s security policies </li></ul>
  3. 3. Perimeter Security Topologies <ul><li>Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk. </li></ul><ul><li>Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters. </li></ul><ul><li>Include demilitarized zones (DMZs) extranets, and intranets </li></ul>continued…
  4. 4. Perimeter Security Topologies <ul><li>The firewall must be the gateway for all communications between trusted networks, untrusted and unknown networks. </li></ul><ul><li>The firewall should selectively admit or deny data flows from other networks based on several criteria: </li></ul><ul><ul><li>Type (protocol) </li></ul></ul><ul><ul><li>Source </li></ul></ul><ul><ul><li>Destination </li></ul></ul><ul><ul><li>Content </li></ul></ul>
  5. 5. Three-tiered Architecture <ul><li>Outermost perimeter </li></ul><ul><ul><li>Router used to separate network from ISP’s network </li></ul></ul><ul><ul><li>Identifies separation point between assets you control and those you do not </li></ul></ul><ul><ul><li>Most insecure area of a network infrastructure </li></ul></ul><ul><ul><li>Normally reserved for routers, firewalls, public Internet servers (HTTP, FTP, Gopher) </li></ul></ul><ul><ul><li>Not for sensitive company information that is for internal use only </li></ul></ul>
  6. 6. Three-tiered Architecture <ul><li>Outermost perimeter </li></ul><ul><li>Internal perimeters </li></ul><ul><ul><li>Represent additional boundaries where other security measures are in place </li></ul></ul><ul><ul><li>multiple internal perimeters are relative to a particular asset, such as the internal perimeter that is just inside the firewall. </li></ul></ul><ul><li>Innermost perimeter </li></ul>
  7. 7. Network Classifications <ul><li>When a network manager creates a network security policy, each network that makes up the topology must be classified as one of three types of networks: </li></ul><ul><ul><li>Trusted </li></ul></ul><ul><ul><li>Semi-trusted </li></ul></ul><ul><ul><li>Untrusted </li></ul></ul>
  8. 8. Trusted Networks <ul><li>When you set up the firewall, you explicitly identify the type of networks via network adapter cards. After the initial configuration, the trusted networks include the firewall and all networks behind it. </li></ul><ul><li>VPNs are exceptions - security mechanisms must exist by which the firewall can authenticate the origin, data integrity, and other security principles contained within the network traffic according to the same security principles enforced on your trusted networks. </li></ul>
  9. 9. Semi-Trusted Networks <ul><li>Allow access to some database materials and e-mail </li></ul><ul><li>May include DNS, proxy, and modem servers </li></ul><ul><li>Not for confidential or proprietary information </li></ul><ul><li>Referred to as the demilitarized zone (DMZ) </li></ul>
  10. 10. Untrusted Networks <ul><li>Outside your security perimeter and control, however you may still need and want to communicate with these networks. </li></ul><ul><li>When you set up the firewall, you explicitly identify the untrusted networks from which that firewall can accept requests. </li></ul>
  11. 11. Unknown Networks <ul><li>Unknown networks are neither trusted nor untrusted </li></ul><ul><li>By default, all nontrusted networks are considered unknown networks </li></ul><ul><li>You can identify unknown networks below the Internet node and apply more specialized policies to those untrusted networks. </li></ul>
  12. 12. Two Perimeter Networks <ul><li>Positioning your firewall between an internal and external router provides little additional protection from attacks on either side, but it greatly reduces the amount of traffic that the firewall must evaluate, which can increase the firewall's performance. </li></ul>
  13. 13. Creating and Developing Your Security Design <ul><li>Know your enemy </li></ul><ul><ul><li>Security measures can’t stop all unauthorized tasks; they can only make it harder. </li></ul></ul><ul><ul><li>The goal is to make sure that security controls are beyond the attacker's ability or motivation. </li></ul></ul><ul><li>Know the costs and weigh those costs against the potential benefits. </li></ul><ul><li>Identify assumptions - For example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe. </li></ul>
  14. 14. Creating and Developing Your Security Design <ul><li>Control secrets - What knowledge would enable someone to circumvent your system? </li></ul><ul><li>Know your weaknesses and how it can be exploited </li></ul><ul><li>Limit the scope of access - create appropriate barriers in your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system. </li></ul><ul><li>Understand your environment - Auditing tools can help you detect those unusual events. </li></ul><ul><li>Limit your trust: people, software and hardware </li></ul>
  15. 15. DMZ <ul><li>Used by a company to host its own Internet services without sacrificing unauthorized access to its private network </li></ul><ul><li>Sits between Internet and internal network’s line of defense, usually some combination of firewalls and bastion hosts </li></ul><ul><li>Traffic originating from it should be filtered </li></ul>continued…
  16. 16. DMZ <ul><li>Typically contains devices accessible to Internet traffic </li></ul><ul><ul><li>Web (HTTP) servers </li></ul></ul><ul><ul><li>FTP servers </li></ul></ul><ul><ul><li>SMTP (e-mail) servers </li></ul></ul><ul><ul><li>DNS servers </li></ul></ul><ul><li>Optional, more secure approach to a simple firewall; may include a proxy server </li></ul>
  17. 17. DMZ Design Goals <ul><li>Minimize scope of damage </li></ul><ul><li>Protect sensitive data on the server </li></ul><ul><li>Detect the compromise as soon as possible </li></ul><ul><li>Minimize effect of the compromise on other organizations </li></ul><ul><li>The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested. </li></ul>
  18. 18. DMZ Design Goals <ul><li>A useful mechanism to meet goals is to add the filtering of traffic initiated from the DMZ network to the Internet, impairs an attacker's ability to have a vulnerable host communicate to the attacker's host </li></ul><ul><ul><li>keep the vulnerable host from being exploited altogether </li></ul></ul><ul><ul><li>keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks. </li></ul></ul><ul><ul><li>The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network </li></ul></ul>
  19. 19. DMZ Design Goals <ul><li>Filtering DMZ traffic would identify </li></ul><ul><ul><li>traffic coming in from the DMZ interface of the firewall or </li></ul></ul><ul><ul><li>router that appears to have a source IP address on a network other the DMZ network number (spoofed traffic). </li></ul></ul><ul><li>the firewall or router should be configured to initiate a log message or rule alert to notify administrator </li></ul>
  20. 21. Intranet <ul><li>Typically a collection of all LANs inside the firewall ( campus network .) </li></ul><ul><li>Either a network topology or application (usually a Web portal) used as a single point of access to deliver services to employees </li></ul><ul><li>Shares company information and computing resources among employees </li></ul><ul><li>Allows access to public Internet through firewalls that screen communications in both directions to maintain company security </li></ul>continued…
  21. 22. Extranet <ul><li>Private network that uses Internet protocol and public telecommunication system to provide various levels of accessibility to outsiders </li></ul><ul><li>Requires security and privacy </li></ul><ul><ul><li>Firewall management </li></ul></ul><ul><ul><li>Issuance and use of digital certificates or other user authentication </li></ul></ul><ul><ul><li>Encryption of messages </li></ul></ul><ul><ul><li>Use of VPNs that tunnel through the public network </li></ul></ul>
  22. 23. Extranet <ul><li>Companies can use an extranet to: </li></ul><ul><ul><li>Exchange large volumes of data </li></ul></ul><ul><ul><li>Share product catalogs exclusively with wholesalers or those in the trade </li></ul></ul><ul><ul><li>Collaborate with other companies on joint development efforts </li></ul></ul><ul><ul><li>Jointly develop and use training programs with other companies </li></ul></ul><ul><ul><li>Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks </li></ul></ul><ul><ul><li>Share news of common interest exclusively with partner companies </li></ul></ul>
  23. 24. Network Address Translation (NAT) <ul><li>Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic </li></ul><ul><li>Provides a type of firewall by hiding internal IP addresses </li></ul><ul><li>Enables a company to use more internal IP addresses. </li></ul>
  24. 25. NAT <ul><li>Most often used to map IPs from nonroutable private address spaces defined by RFC 1918 that either do not require external access or require limited access to outside services </li></ul><ul><ul><li>A … </li></ul></ul><ul><ul><li>B … </li></ul></ul><ul><ul><li>C … </li></ul></ul>
  25. 26. NAT <ul><li>Static NAT and dynamic NAT </li></ul><ul><ul><li>Dynamic NAT is more complex because state must be maintained, and connections must be rejected when the pool is exhausted. </li></ul></ul><ul><ul><li>Unlike static NAT, dynamic NAT enables address reuse, reducing the demand for legally registered public addresses. </li></ul></ul>
  26. 27. PAT <ul><li>Port Address Translation (PAT) </li></ul><ul><ul><li>Variation of dynamic NAT </li></ul></ul><ul><ul><li>Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers </li></ul></ul><ul><ul><li>suppose private hosts and both send packets from source port 1108. A PAT router might translate these to a single public IP address and two different source ports, say 61001 and 61002. </li></ul></ul><ul><ul><li>Because PAT maps individual ports, it is not possible to &quot;reverse map&quot; incoming connections for other ports unless another table is configured </li></ul></ul>
  27. 28. PAT and NAT <ul><li>In some cases, static NAT, dynamic NAT, PAT, and even bidirectional NAT or PAT may be used together </li></ul><ul><ul><li>Web servers can be reached from the Internet without NAT, because they live in public address space. </li></ul></ul><ul><ul><li>Simple Mail Transfer Protocol (SMTP) must be continuously accessible through a public address associated with DNS entry, the mail server requires static mapping (either a limited-purpose virtual server table or static NAT). </li></ul></ul><ul><ul><li>For most clients, public address sharing is usually practical through dynamically acquired addresses (either dynamic NAT with a correctly sized address pool, or PAT). </li></ul></ul><ul><ul><li>Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients. To prevent this, PAT is used because it enables higher concurrency (thousands of port mappings per IP address) </li></ul></ul>
  28. 29. Tunneling <ul><li>Enables a network to securely send its data through untrusted/shared network infrastructure </li></ul><ul><li>Encrypts and encapsulates a network protocol within packets carried by second network </li></ul><ul><li>Replacing WAN links because of security and low cost </li></ul><ul><li>An option for most IP connectivity requirements </li></ul>
  29. 30. Example of a Tunnel <ul><li>a router with Internet Protocol Security (IPSec) encryption capabilities is deployed as a gateway on each LAN's Internet connection. </li></ul><ul><li>The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two offices. </li></ul><ul><li>When a router sees traffic on its LAN that is destined for the VPN, it communicates to the other side instructing it to build the tunnel </li></ul><ul><li>Once the two routers have negotiated a secure encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router. </li></ul>
  30. 31. Virtual Local Area Networks (VLANs) <ul><li>Deployed using network switches </li></ul><ul><li>Used throughout networks to segment different hosts from each other </li></ul><ul><li>Often coupled with a trunk, which allows switches to share many VLANs over a single physical link </li></ul>
  31. 32. Benefits of VLANs <ul><li>Network flexibility </li></ul><ul><li>Scalability </li></ul><ul><li>Increased performance </li></ul><ul><li>Some security features </li></ul>
  32. 33. Security Features of VLANs <ul><li>Can be configured to group together users in same group or team, no matter the location </li></ul><ul><li>Offer some protection when sniffers are inserted </li></ul><ul><li>Protect unused switch ports by moving them all to a separate VLAN </li></ul><ul><li>Use an air gap to separate trusted from untrusted networks: </li></ul><ul><ul><li>Do not allow the same switch or network of switches to provide connectivity to networks segregated by firewalls. </li></ul></ul><ul><ul><li>A switch that has direct connections to untrusted networks (Internet) or semitrusted networks (DMZs), should never be used to contain trusted network segments as well. </li></ul></ul>
  33. 34. Vulnerabilities of VLAN Trunks <ul><li>Trunk traffic does not pass through the router, therefore no packet filtering. </li></ul><ul><li>Trunk autonegotiation – on by default </li></ul><ul><ul><li>Prevention: Disable autonegotiation on all ports and only allow trunk traffic on trunk ports </li></ul></ul><ul><li>By default, trunk links are permitted to carry traffic from all VLANs </li></ul><ul><ul><li>Prevention: Manually configure all trunk links with the VLANs that are permitted to traverse them (Pruning) </li></ul></ul>
  34. 35. Chapter Summary <ul><li>Technologies used to create network topologies that secure data and networked resources </li></ul><ul><ul><li>Perimeter networks </li></ul></ul><ul><ul><li>Network address translation (NAT) </li></ul></ul><ul><ul><li>Virtual local area networks (VLANs) </li></ul></ul>